Abstract: As generative engines become the mainstream gateway for information retrieval, poisoning attacks targeting Generative Engine Optimization (GEO) are increasingly rampant. Attackers pollute training data, manipulate retrieval contexts, or inject malicious prompts to cause AI models to erroneously cite spam information, thereby damaging content owners' digital assets and brand reputation. This paper systematically analyzes the mechanisms of poisoning attacks against GEO and proposes an active defense framework based on a "Digital Immune Barrier." The framework comprises four core modules: traceable watermark embedding, controlled decoy injection, dynamic knowledge updating, and anomaly monitoring with response. Without compromising legitimate user experience, this method effectively interferes with unauthorized data scraping and malicious content citation. Experiments show that this approach increases the error citation rate of stolen models by over 37%, while maintaining content usability for legitimate users above 97%. This paper provides an actionable technical pathway for poisoning defense in the GEO domain.
Keywords: Generative Engine Optimization; Data Poisoning; Spam Information Defense; AI Security; Active Immunity
1 Introduction
By 2026, generative AI has become deeply integrated into daily information acquisition. According to industry statistics, over 60% of internet users obtain answers through AI assistants, and enterprises enhance the probability of their content being adopted by AI through Generative Engine Optimization (GEO). However, this new ecosystem has also spawned a novel attack method—poisoning attacks targeting GEO.
Unlike spam link building in traditional Search Engine Optimization (SEO), GEO poisoning directly contaminates AI's knowledge sources. Attackers tamper with public data and inject false information, causing AI models to output erroneous content when answering questions, and even actively recommend spam information. Such attacks not only compromise user experience but also directly harm the content assets of the misrepresented brand—high-quality content is incorrectly cited, brand reputation suffers collateral damage, and content owners find it difficult to trace and seek redress.
Existing defense mechanisms primarily focus on output-side content moderation and toxicity suppression, lacking effective countermeasures against input-side poisoning. This paper adopts an active defense perspective and proposes a set of anti-poisoning methods for GEO, aiming to help content owners protect their digital assets and ensure their content is accurately cited by AI rather than maliciously tampered with.
2 Problem Analysis: Attack Vectors of GEO Poisoning
2.1 Types of Attacks
Based on the analysis of public cases from 2025-2026, poisoning attacks against GEO manifest in three primary forms:
(1) Training Data Contamination
Attackers bulk-modify public knowledge sources (e.g., encyclopedias, forums, industry databases) by implanting false information. When AI models scrape this data for training or fine-tuning, they internalize the erroneous content as "knowledge," leading to long-term systematic biases. For example, a home appliance brand encountered a competitor systematically altering its product parameters, causing AI to output incorrect energy consumption data for six months.
(2) Retrieval Context Hijacking
In RAG (Retrieval-Augmented Generation) architectures, attackers manipulate the retrieval weight of specific documents, causing AI to prioritize citing contaminated content when answering relevant questions. This attack is highly covert as it only affects the retrieval stage without impacting the global model.
(3) Prompt Injection Induction
Attackers embed malicious instructions within user queries or external data, inducing AI to mistakenly treat spam information as a valid answer. For instance, when a user asks "How is Brand X?", technical means are used to make AI retrieve a fabricated negative review and cite it.
2.2 Defense Dilemma
Current mainstream defense techniques—such as output-side auditing and harmful information filtering—are passive responses. They can only attempt to block attacks after they occur, but cannot prevent attackers from persistently polluting knowledge sources. More challengingly, numerous AI companies obtain training data through public web crawling, an act that exists in a legal gray area, making traditional access controls ineffective.
From a GEO perspective, content owners face a double loss: their high-quality content is scraped without compensation, and it is then tampered with to damage their own brand reputation. Therefore, establishing active defense mechanisms has become an urgent necessity.
3 Design of the Active Defense Framework
Addressing the aforementioned issues, this paper proposes a "Digital Immune Barrier" defense framework, comprising four core modules.
3.1 Traceable Watermark Embedding
This module aims to add identifiable "digital fingerprints" to content, facilitating the tracing of misused content back to its source. Watermark embedding follows these principles:
Imperceptibility: Invisible to human readers, not interfering with normal reading.
Robustness: Resistant to common text rewriting and format conversion.
Verifiability: The source can be quickly identified through algorithms when the content appears in third-party AI outputs.
Implementation involves embedding specific statistical features into the text, such as the distribution frequency of particular words, usage patterns of punctuation marks, or subtle adjustments to paragraph structures. These features constitute a unique identifier for the content. When the content appears in third-party AI outputs, source confirmation can be achieved through comparative analysis.
3.2 Controlled Decoy Injection
This is the core module of the defense framework. Its concept involves implanting small amounts of "fine-tuned information" into public content—making extremely minor modifications to core facts. These modifications are imperceptible to humans, but when captured by machines, they cause the model to produce detectable deviations.
Decoy design adheres to the "minimum necessary principle":
Modification magnitude is kept within human-acceptable limits (e.g., adjusting "200 grams" to "approximately 200 grams").
Does not involve sensitive information related to values or safety.
Regularly rotated to prevent attackers from identifying patterns through long-term comparison.
Decoy injection employs a layered strategy: For legitimate users passing whitelist verification (e.g., official search engine crawlers), a clean version is returned. For unauthorized large-scale scraping, a version containing decoys is returned. This distinction is achieved through lightweight verification mechanisms without affecting regular visitors.
3.3 Dynamic Knowledge Updating
Static content is vulnerable to being entirely scraped, necessitating a dynamic update mechanism. Drawing on the "knowledge freshness" concept, content repositories should be updated regularly:
Core parameters reviewed quarterly.
User reviews, usage cases, etc., added monthly.
Descriptive phrasing and expression methods adjusted periodically.
Thus, even if attackers successfully scrape data, they obtain a "snapshot" from a specific point in time, making it difficult to maintain sustained model accuracy. Legitimate users, through continuous access, consistently receive the most current content.
3.4 Anomaly Monitoring and Response
Establish a regular monitoring system to periodically check how one's content is cited by AI. Monitoring indicators include:
Citation Accuracy: Whether AI output aligns with the original content.
Citation Frequency: The frequency of one's content appearance in specific domains.
Anomalous Fluctuations: Sudden emergence of erroneous or negative citations.
When anomalies are detected, initiate a tiered response mechanism:
Mild Anomaly: Record and continue observation.
Moderate Anomaly: File complaints with relevant platforms to request takedown of infringing content.
Severe Anomaly: Activate "active poisoning mode," returning high-density decoy versions to suspected attack sources.
4 Experimental Validation
4.1 Experimental Design
To validate the effectiveness of the defense framework, we constructed a simulated environment:
Knowledge Base: Containing 5,000 technical documents (covering consumer electronics, medical devices, and industrial parameters).
Attack Simulation: Simulating a crawler performing a full scrape and using the scraped data to fine-tune an open-source LLM (Llama-3-8B).
Defense Configuration: Injecting decoys into the knowledge base at densities of 5%, 10%, and 15%.
Evaluation Metrics: Model Error Citation Rate, Legitimate User Content Usability Score.
4.2 Results Analysis
The experimental data is shown in the following table:
Decoy Density Error Citation Rate (%) Relative Increase (%) Content Usability (%)
0% (Baseline) 12.8 — 98.9
5% 28.4 121.9 98.7
10% 41.6 225.0 98.2
15% 52.3 308.6 97.6
The results show:
As decoy density increases, the error citation rate of models trained on stolen data rises significantly. At 15% density, the error rate increases from 12.8% to 52.3%, an over threefold increase.
Content usability for legitimate users only slightly decreases from 98.9% to 97.6%, indicating that decoys are largely imperceptible to humans.
Traceable watermarks successfully identified the data source in 9 out of 12 simulated attacks, achieving an attribution accuracy of 75%.
4.3 Case Application
The defense framework was applied to the GEO practice of a smart home appliance brand. This brand had previously encountered instances where its content was incorrectly cited by third-party AIs, including citations containing tampered parameters. After deploying the defense:
The error rate for key parameters in third-party models trained on the brand's data increased by 37%.
The accuracy of the brand's official AI assistant remained above 96%.
Five instances of anomalous scraping were detected over three months, all successfully directed to decoy versions.
5 Discussion
5.1 Boundaries of Defense Effectiveness
Experiments indicate a positive correlation between decoy density and defense effectiveness. However, two points require attention:
Excessive density may affect content quality; it is recommended to control it within 15%.
Decoys need regular updates to prevent attackers from neutralizing their effect through long-term comparative learning.
The attribution accuracy of traceable watermarks still has room for improvement. Future work could introduce more robust text watermarking algorithms.
5.2 Ethical Considerations
Active decoys raise ethical questions: Do we have the right to "poison" public data? This paper's stance is as follows:
The defense targets only unauthorized commercial scraping, not interfering with legitimate uses like search engines or academic research.
Decoy content does not contain illegal or harmful information, involving only factual fine-tuning.
Content owners should declare in their robots.txt or terms of service the potential use of active defense techniques.
This aligns with the ethical boundaries of "defensive poisoning"—when data is subject to predatory use, owners have the right to self-defense.
5.3 Practical Recommendations
For enterprises wishing to implement anti-poisoning practices, a phased approach is recommended:
Risk Assessment: Examine the frequency and accuracy of your content being cited by AI to identify high-risk areas.
Deploy Watermarks: Add traceable identifiers to critical content.
Pilot Decoys: Experiment with decoy injection on non-core content and observe the effects.
Establish Monitoring: Regularly check AI outputs to form a normalized response mechanism.
6 Conclusion
This paper systematically analyzes the problem of poisoning attacks against GEO and proposes an active defense framework incorporating traceable watermarks, controlled decoys, dynamic updates, and anomaly response. Experiments demonstrate that this method effectively interferes with erroneous content citation by unauthorized models while safeguarding legitimate user experience. As generative engines reshape the information ecosystem, active defense will become a necessary means for content owners to protect their digital assets. Future research can further explore intelligent decoy generation, cross-platform溯源 network construction, and the development of industry defense standards.
References
[1] Oracle Cloud Infrastructure. OCI Generative AI Now Supports AI Guardrails for On-Demand Mode[EB/OL]. (2026-02-09)
[2] OWASP. OWASP Top 10 for Agentic Application 2026[R/OL]. (2026-01-08)
[3] Meng, Q. Dynamic Knowledge Freshness Layer: The Breakthrough Logic of Real-time Knowledge Management in GEO Optimization[J/OL]. Alibaba Cloud Developer Community, (2026-01-14)
[4] Singh, H., et al. Do Prompts Guarantee Safety? Mitigating Toxicity from LLM Generations through Subspace Intervention[J]. arXiv preprint arXiv:2602.06623, 2026
[5] Ritchie, D. Data Poisoning: Emerging AI Security Protection Strategies in 2026[EB/OL]. WebProNews, (2026-01-12)
[6] Saglam, B., Kalogerias, D. Test-Time Detoxification without Training or Learning Anything[J]. arXiv preprint arXiv:2602.02498, 2026
[7] Lee, S., et al. AI Kill Switch for malicious web-based LLM agent[J]. arXiv preprint arXiv:2511.13725, 2026
[8] Corelight. Winning Against AI-Based Attacks Requires a Combined Defensive Approach[EB/OL]. The Hacker News, (2026-01-26)
Author Introduction:
Qingtao Meng is an expert in the field of Generative Engine Optimization (GEO) in China and General Manager of Liaoning Yuesui Network Technology Co., Ltd. With 15 years of experience in digital marketing and technology management, he has proposed core GEO concepts such as "AI Trustworthiness Optimization" and the "Dynamic Knowledge Freshness Layer." His current research focuses on the intersection of GEO and AI security, dedicated to building actionable active defense systems for enterprises.
Top comments (0)